ES2338419T3 - DELIVERY OF ADDITIONAL INFORMATION NECESSARY FOR THE ESTABLISHMENT OF A CONNECTION. - Google Patents

Abstract

Distribution e.g. of a shared secret or such information in a multiple operator system (100) supporting roaming may be implemented by utilizing a domain name server (5). When host-related additional information (533) needed in connection setup is maintained host-specifically at the domain name server, a response including the additional information needed in connection setup, or some of such information, may be sent to a query received at the domain name server. <IMAGE>

Description

Delivery of additional information necessary for Establishing a connection.

Field of the Invention

The present invention is about additional information necessary for the establishment of a connection between servers, and in particular about the delivery of such information to allow the establishment of the Connection.

Background of the invention

In telecommunications, it is accentuated every time plus the role of mobile communication systems. Normally, a mobile communications system refers to any telecommunications system that allows communication while users move through the service area of the system. Therefore, the most important service of a system of mobile communications is to allow a subscriber to call, and be call, regardless of the location of the subscriber in the area of system coverage. Therefore, interworking of networks and roaming between the networks of different operators are basic requirements to allow the use of various services, as future wireless Internet services, when a user It is introduced into the networks of other operators. In connection with the interconnection and roaming, you should also keep in mind that in addition to mobile communications networks, such as networks based on a GSM system, local area networks can also be used Wireless WLANs and a combination of local area networks wireless and mobile communications networks in a system mobile communications, so that a mobile communications network through a local area network wireless

When a user resides in the area of a network visited, normally, is verified on a network contracted by half of the visited network before the user is allowed to access to network services. Therefore, the servers of verification or similar of the contracted network and the visited network deliver verification requests and other related messages with the verification with each other. However, the secret identifier of the user, or similar, used in the verification cannot deliver as unencrypted text from one server to another. A transfer, for example, between RADIUS servers takes place from so that RADIUS servers verify each other based on a common shared secret or they transmit the information using  a shared common secret key known only to those servers

A problem of the provision mentioned previously it is that for common shared secrets, each own operator has to keep in its own network separately statically configured lists of different servers and related secrets These lists are difficult to maintain, in particularly when there are hundreds of roaming partner operators. For example, if operator A changes his server address RADIUS, operator A must send the new address to others operators, and each of them has to update their own ready to allow a subscriber of operator A to succeed in the roaming The situation is even more difficult if the operator changes a secret, given that the new secret must be delivered to others operators reliably.

Zao J et al : "A public-key based secure Mobile IP" Wireless Networks, ACM, US, vol. 5, No. 5, October 1999 (1999-10), pages 373-390, XP000902493 ISSN: 1022-0038 discloses a system in which certificates are stored, with which an identity of a mobile node can be verified during Access to the network, in the domain name system and are added to the regular transactions of the domain name system.

Eastlake D: "RFC 2535 - Domain Name Security Extensions "Network working group, March 1999 (1999-03), XP002174063 discloses extensions of security of a domain name system that allows storage of verified public keys in the system domain names and their delivery with the resource record actually requested from the domain name system.

Brief Description of the Invention

Therefore, an object of the invention is provide a procedure and apparatus that implements the procedure, so that the problem is allowed to be solved previously mentioned. The objective of the invention is achieved by means of a procedure, a domain name server and a verification server that are characterized by what revealed in the independent claims. The realizations Preferred of the invention are disclosed in the dependent claims.

The invention is based on the detection of a problem and in its solution, so that in addition to the host, as a verification server, information from the address, additional information specific to the host in a domain name server that maintains information on addresses on servers, additional information that can be necessary to establish a connection with the host. Bliss Additional information includes at least one shared secret, such as a key. In addition, such additional information may include information related to a transmission protocol that should be support, as the identifier of a host version in issue, as a receiver, is able to interpret, or said Additional information may include both examples disclosed above and / or similar information. Here, establishment of connection refers to establishing a state that allows it to can transmit information from one server to another.

An advantage of the procedure and the system of the invention is that neither the information nor the information has to be stored additional in a system more than once, and each operator included in the system receives it from the same server as information from address. An additional advantage is that the need for maintain a statically configured list on each network and it They avoid many problems regarding the distribution of a password. These problems include providing reliable key distribution changed to partners and enter a changed password in the system of an interconnection partner, which takes place manually and, by Therefore, it is a slow error prone procedure. Given that the Additional information resides on a domain name server, the need to build a separate infrastructure is avoided only to store and retrieve additional information, such as keys.

In a preferred embodiment of the invention, the domain name server is a system server closed. The advantage is that it can be maintained and distributed Secret information in a simple way.

Brief description of the drawings

The invention will now be described with greater detail in connection with the preferred embodiments and with reference to the attached drawings, in which

Figure 1 is a simplified diagram of blocks of the architecture of an exemplary system;

Figure 2 shows the emission of signals in a exemplary embodiment of the invention; Y

Figure 3 shows the emission of signals in a second exemplary embodiment of the invention.

Detailed description of the invention

The present invention can be applied in connection with any telecommunications system that supports roaming, in which additional information is required for establishing the connection between different servers. Such systems include, for example, systems in which a wireless local area network is connected to a wide area network, such as a common mobile communications network. Said wireless local area network may be, for example, an IEEE 802.11 or HIPERLAN type network that uses a radio interface, such as Bluetooth , infrared or other corresponding wireless access technology such as the transmission path of an air interface. A wide area network can be based, for example, on systems called third-generation mobile communications systems, such as UMTS, and systems based on them, as well as on a GSM system and similar mobile communications systems, such as GSM 1800 and PCS (Personal Communications System), and systems based on the systems mentioned above, such as GSM2 + systems. The invention can also be applied when using another wireless system, a fixed system, a simple mobile communications system or a combination of several systems in which, for example, one of the systems may be based on a fixed system while the The rest of the systems are based on a wireless system.

In the following, the invention will be described using a GRX system (GPRS roaming exchange) as an exemplary system without restricting the invention thereto. The GRX it comprises, for example, a centralized routing network of IP (Internet Protocol) that connects different networks operators and allows routing. It is used, for example, to implement WLAN roaming and GPRS roaming, particularly when the visited network comprises a WLAN network as a local area network that provides access to the visited network. A property of GRX is that it allows a system to be implemented closed. The specifications of the systems telecommunications, and in particular those of the systems of Wireless telecommunications, develop rapidly. Saying development may require additional changes in the invention. By therefore, all words and expressions should be interpreted in its broadest sense, and that is only intended describe, not restrict, the invention. As regards the invention, the relevant point is the function rather than the fact of in which node of the network resides the invention.

Figure 1 shows an architecture simplified network that only shows some of the elements of an exemplary architecture of a system. Network nodes shown in Figure 1 are logical units whose implementation It may be different from the one shown. It is evident to an expert in technique that the system can also comprise other functions and structures that do not need to be described in detail herein  document.

The exemplary system 100 of Figure 1 comprises a user equipment UE 1, a visited network VN 2, an internal network 3 between network operators to allow a connection to be established from the visited network VN 2 with a contracted network HN 4 of the equipment user name, and a DNS domain name server 5.

In this context, the user team UE 1 makes reference generally to an entity constituted by a subscriber and The real terminal equipment. The terminal equipment can be any terminal equipment or a combination thereof capable of communicate in system 100. The terminal equipment can be, by For example, a laptop or a mobile phone. The team of user UE 1 is connected to the system by means of base stations of transceivers of the visited network VN 2 (not shown in the figure).

The visited network VN 2 comprises one or more AC 22 network access controls arranged, for example, to authenticate the user equipment on the contracted network through a verification server of the visited network.

In addition, the visited network VN 2 comprises a verification RADIUS-V 21 proxy server. It is a RADIUS server, that is, a server for identification, access control, delivery of configuration information and / or user statistics, which uses a RADIUS protocol. The AC 22 may request verification of the user equipment UE 1, information about the use of configurations and / or user rights of the user equipment. Among other things, the RADIUS-V proxy delivers service requests to other servers, such as to a corresponding server of the HN 5 contracted network of the terminal equipment UE 1. The RADIUS-V proxy does not participate in the verification of equipment itself. User roaming except to deliver messages, but can participate in the collection and transfer of billing information.

In the example of Figure 1, network 3 is a centralized IP routing network that connects the networks of different operators and allows roaming. Preferably, the network 3 is a closed network that is designed for operators that agree roaming provisions and to which no third party It has access.

The contracted network HN 4 comprises a Radius proxy server RADIUS-H check 41, which may reside verification information, for example, a user to a contracted network, ie, the user. The RADIUS-H proxy participates, for example, in the verification itself of the contracted user equipment that is being introduced in some other network.

The DNS 5 domain name server comprises transformer software capable of converting domain names, that is, area names, used on the Internet into numerical IP addresses and vice versa according to a DNS (Domain Name System) known to an expert in the technique An area name identifies a host, that is, a specific server or a group of servers. DNS 5 is a decentralized directory and describes a hierarchy of name service that allows the domain name server of the area name of each operator to be found, the domain name server that maintains information about local names and in what Domain name server, for example, updates the operator IP addresses and additional information, so that they do not have to be updated elsewhere.

In the exemplary system, DNS 5 comprises 53 specific host data fields that include a host 531, an IP address 532 and various records, at least one of which 533 comprises additional information according to the invention. In the exemplary system shown in the Figure 1, all additional information is added to a record of TXT 533 unstructured text. Preferably, the information Additional has been added using a format that has been subject to mutual agreement. For example, a key used as a secret shared could have the format "Key = hippa" for the operator A. So, this is used as a shared secret when a connection to an IP address is established corresponding to the area name of the operator A. In some others embodiments, a specific record may have been determined for additional information, or you may have determined a specific record for each type of additional information, or by example, a shared secret has been added to a text record not built, and a specific record has been determined for the protocol version and / or a specific record has been determined for other additional information.

Since the exemplary system is a system closed, that is, a differentiated Internet system, the hierarchy  The DNS domain name server includes a "root." By therefore, from the point of view of network operators, the System is reliable and inviolable information. At the moment description, the DNS usually illustrates a conversion server of addresses that works on the same principle as a DNS of Internet.

The use of a domain name server provides the advantage that when an operator, for example, change the additional information or an IP address, this is only update on the operator's own domain name server, and when such information is needed the next time, the DNS the will find.

Figure 2 shows the emission of signals and the operation of the servers according to an exemplary embodiment of the invention. The user equipment UE is switched on, for example, in the area of a transceiver base station of a visited network, and begins its registration procedure. In Figure 2, the procedure begins at a stage where a 2-1 registration request is received on a RADIUS VRP proxy of the visited network. The above steps are irrelevant to the invention and are well known to one skilled in the art, so they do not have to be described in greater detail herein. In this example, the registration request 2-1 includes necessary information in the user verification of the user equipment, that is, a name and a user password, for example. Directly or indirectly, the username indicates the area name of a contracted network and has, for example, the format name.name Surname@operadorA.xyz . Depending on the implementation, the username can also indicate a single server or a group of servers.

After receiving the messages 2-1, the V-R-P, using prior art procedures, for example, find out, from the username if the user is a user in the contracted network or if the user is an itinerant subscriber. In this example, the user is a roaming subscriber, and the V-R-P sends a query in a Message 2-2 to a DNS domain name server. The query includes the area name indicated by the name of Username.

       \ newpage
    

In this embodiment of the invention, the DNS search your hierarchy for a data field corresponding to the name of area included in query 2-2, retrieves the IP address and additional information and sends them to V-R-P in a message 2-3.

After receiving the information, the VRP separates the IP address and additional information from message 2-3 and sends a message 2-4 to the IP address, that is, in this example of the RADIUS HRP proxy of the user's contracted network. Message 2-4 includes additional information separate from message 2-3, for example, a shared secret. The HRP verifies the VRP based on the shared secret and sends information in a 2-5 message indicating that a connection is established between the RADIUS proxies of the visited network and the contracted network.

After the connection has been established, the V-R-P sends a message 2-1 'to H-R-P for verify the user. Message 2-1 'includes the necessary information in the user verification of the equipment of user that was included in message 2-1.

An advantage of this embodiment is that a single Database query is enough to find out both the IP address and additional information needed.

Depending on the implementation, in the embodiment described above the DNS may have been configured to always send additional information also in response to a query or only if information is requested additional in the query (message 2-2). In this implementation, the V-R-P is preferably configured to recognize situations in which additional information is requested and to indicate in a message query that in addition to the address, information is also desired additional. This can be done, for example, when using a different message or by adding, for example, an indicator in the query to indicate whether additional information is desired or not, or a combination thereof. An indicator can also consist of the fact that a query does not include an area name but a IP adress. You can also provide each information additional with a special message or a special indicator. So corresponding, in these embodiments, the DNS has to be configured to identify from the query what information  is desired.

Figure 3 shows the emission of signals and the operation of servers according to a second exemplary embodiment. As in Figure 2, the procedure in Figure 3 also begins when a RADIUS VRP proxy of the visited network receives a 3-1 registration request to register the UE user equipment. Registration application 3-1 corresponds to registration application 2-1.

After receiving the message 3-1, the V-R-P, of similar to the one described above, find out if the user is a user in a contracted network or if the user is a subscriber itinerant. In this example, the user is a roaming subscriber, and the V-R-P sends a query in a message 3-2a to a domain name server DNS The query includes the area name indicated by the name of Username.

The DNS searches its hierarchy for a data field that corresponds to the area name included in query 3-2, retrieves an IP address from it, and in this embodiment of the invention, sends it in a 3-3a message. After receiving the IP address in this way, the VRP sends a new query in a 3-2b message to the DNS domain name server. In message 3-2b, the VRP requests additional information related to the IP address. The DNS searches its hierarchy for a data field that includes a corresponding IP address. After finding such a data field, the DNS retrieves the additional information and sends it in a 3-3b message to the VRP. Message 3-2b may be the same message as message 3-2a, in which case the DNS identifies message 3-2b as a message requesting additional information based on the message that includes the IP address, or through another Indicator included the same. Alternatively, messages 3-2a and 3-2b may be different messages. Each additional information can also be provided with a special message or with a special indicator. Correspondingly, in these implementations, the DNS has to be configured to identify from the query what information is
want.

After receiving the information, the VRP separates the additional information, for example, a shared secret, from message 3-3b and sends it in a message 3-4 to the IP address included in message 3-3a, that is, in this example to the server, that is, the RADIUS HRP proxy , of the user's contracted network. The HRP verifies the VRP based on the shared secret and sends information in a 3-5 message indicating that there is an established connection between the RADIUS proxies of the visited network and the contracted network.

After the connection has been established, the V-R-P sends a message 3-1 'to H-R-P for verify the user. Message 3-1 'includes the necessary information in the user verification of the equipment of user that was included in message 3-1.

Although the invention has been described above assuming that the additional information is a shared secret, it will be apparent to one skilled in the art that the additional information may include information other than a shared secret or a key, in addition to that. Such information includes, for example, the version of a transmission protocol supported by the HRP. If the version does not support the version used by the VRP by default, the
VRP may have been configured to change the version of its transmission protocol to match the supported version.

In an embodiment of the invention, the Embodiments described in Figures 2 and 3 can be combined, so that the DNS is configured to return, in connection with a first consultation, the necessary secret in establishing the connection between servers, and the V-R-P is configured in connection with a second consultation to request another one separately additional information needed, for example, if the message delivery to H-R-P.

Although the invention has been described above as a closed system in which the DNS does not have to check if The issuer of a query has the right to be given information Additionally, the DNS may be configured to verify this. By example, if a server has requested a DNS server to determine the area name and in one response you want to receive two parameters A and B, such as an IP address and a secret, and the DNS server records have an entry that indicates that they are not You can access the particular area name without parameter C, the DNS server can also add parameter C to your response and / or inform in your response that the parameter is also necessary C.

The messages previously disclosed in connection with Figures 2 and 3 are only suggestive and may contain several different messages to deliver the same information. In addition, the messages may also comprise another information. Other messages can also be transmitted between posts. You can also skip some of the messages. By example, if the additional information is a version of a protocol supported by a receiver, the sender (that is, the V-R-P) is set to send the information in a message 2-1 'or 3-1 'by means of a message according to the version supported, and the messages don't have to be sent 2-4 and 2-5 or 3-4 and 3-5. In one embodiment, a network node is configured to request additional information necessary for the establishing the domain name server connection in response to a failed connection establishment. Depending of the operators and the system, others can also participate network nodes where they have decentralized differently functionalities in the delivery of information and in the issuance of signs.

Although the invention has been described above in connection with RADIUS proxy , it is clear to one skilled in the art that the invention can also be applied to connections between other servers, for example, in connection with servers used to implement a VPN (private network) technology. virtual). Above, RADIUS proxies are just examples of servers that need additional information to establish a connection between a server in a visited network and a corresponding server in a contracted network.

Although the invention has been described above mainly in connection with the delivery of secrets, the invention it can also be applied to any additional information that, by example, in the prior art solutions, in addition to a IP address query, has to be retrieved from a list configured statically. An example of such information additional is that the area names that reside on a DNS server they are divided into at least two groups and the DNS, along with a IP address corresponding to the area name, also returns information that indicates which group this area belongs to. If only I know allows a network node to communicate with entities that belong to the same group, the network node that requested the IP address can, based on this group information, conclude if the entity particular belongs or not to the same group, that is, if you lets communicate with her or not.

Although it has been previously disclosed invention describing the establishment of the connection between servers of a visited network and a contracted network, it is evident for one skilled in the art how the invention is applied to a establishment of the connection between different servers in the same network, as between two RADIUS servers on the same network.

In addition to the means necessary to implement the establishment of the connection between prior art servers, the telecommunications system, the network nodes and the domain name servers that implement the functionality according to the present invention each comprises means to find out, from the domain name server, the additional information necessary for establishing the connection. More precisely, they may comprise means to implement at least one embodiment described above. The current network nodes and domain name servers comprise processors and memory that can be used in the functions according to the invention. All changes and configurations required to implement the invention can be carried out as added or updated software routines and / or with application circuits (ASIC). Domain name servers may also need additional memory.

It will be apparent to a person skilled in the art that as technology advances, the basic idea of the invention in several different ways. Therefore, the invention and its embodiments are not restricted to the examples described above, but may vary within range of the claims.

Claims (13)

1. A method of delivering additional information in a telecommunications system comprising at least two verification servers (21, 41) and a domain name server (5) to convert the addresses of the servers (21, 41) of verification of a first format to a second format, characterized in that keep, on the domain name server, additional information (533) related to the server verification -specifically with the verification server- required in establishing a connection with the server verification in question from another verification server, including additional information at least one shared secret to be used by the verification server in question and the another verification server; receive (2-2) an inquiry in the domain name server; send (2-3) an answer to the query, including the answer at least the shared secret of Additional information 2. A procedure as claimed in the claim characterized in that the query includes a first address and requests a second address, and the second address and additional information in the response are sent (2-3). 3. A method as claimed in claim 1, characterized in that the additional information is sent (2-3) only if the query, directly or indirectly, indicates that additional information is requested. 4. A method as claimed in claim 3, characterized in that, if the query (2-2) includes a second address, the query requests additional information. 5. A method as claimed in any one of the preceding claims, characterized in that the additional information also includes additional information necessary in establishing the connection between the verification servers. 6. A method as claimed in any one of the preceding claims, characterized in that the query (2-2) is sent in response to a failed connection establishment. 7. A method as claimed in any one of the preceding claims, characterized in that at least part of the additional information is related to a protocol supported by verification. 8. A domain name server (5) for a telecommunications system comprising at least two verification servers (21, 41), the domain name server being configured to convert the addresses of the verification servers of a first format to a second format, characterized in that the domain name server (5) is configured to maintain additional information (533) related to the verification, specifically with the verification (53), necessary in establishing a connection with the server of verification in question from another verification server, including the additional information at least one shared secret to be used by the verification server in question and the other verification server, and, in response to a request, send in your response at least the Shared secret of additional information. 9. A server domain names as claimed in claim 8, characterized in that the server (5) of domain names is configured to separate queries relating to address conversion query related information, and to send additional information in response to a query related to additional information. 10. A domain name server as claimed in claim 8 or 9, characterized in that the domain name server (5) is a domain name server of a closed system. 11. A verification server (21) for a telecommunications system (100), said system comprising at least one other verification server (41) and a domain name server (5) to convert the addresses of the servers (21, 41) verification of a first format to a second format, characterized in that the verification server (21) is configured to request, from the domain name server, additional information (533) related to the verification server necessary in the establishment of a connection from the verification server to the other verification server, including additional information at least one shared secret, to receive as additional information at least one shared secret to be used with the other verification server, and to stop using the secret shared in connection establishment. 12. A verification server as claimed in claim 11, characterized in that the verification server (21) is configured to request additional information in response to establishing a connection with a verification server of another network.

         \ newpage
      

13. A verification server as claimed in claim 11 or 12, characterized in that the verification server (21) is configured to request additional information in response to a failed connection establishment.